I have a site that has anonymous access disabled and uses only IIS basic authentication. The site's home directory only has the MACHINENAME\Users group with permissions. I have one user that I don't want to be able to log in to this site, so I thought all I would need to do is take that user out of the Users group, but doing so still allows him to authenticate. I know it is the Users group that is allowing authentication because if I remove that group's permissions on the directory, he is not allowed to log in.
Is there something special about the Users group that makes it so you are actually always a part of it?
Is the only solution to revoke the Users group's permissions on the site's home directory and grant a new group access that contains only the allowed users?
How are you limiting the access to just the Users group? The IIS authentication is just authentication, not access control. E.g., if it's an ASP.NET site, you can set access to individual accounts, groups, etc.
Normally, removing a user from a group requires the user to log off and back on as group membership is contained in the access token for the user, so a log off and log on is required in order to get a new access token reflecting the new group membership.
I'm not sure how this works with local groups but have the user log off and back on to their workstation and see if it helps. If not, you might try rebooting the server.
Add that user to the site's home directory with an explicit deny?
You need to be compatible with the article KB 812614 for the Web site to work in IIS. Add a particular user in the "Deny log on locally" to deny access for that particular user.
What does the membership of the Users group look like? Do you by chance have Authenticated Users or Domain Users in there?
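Added example, not part of the thread: a PowerShell check for the question in the last comment. It lists the members of the local Users group and the ACEs on the site directory, flagging principals that an account holds through the logon itself rather than through explicit membership. The path `C:\inetpub\wwwroot` is a placeholder, `Test-ImplicitSid` is a helper named here for illustration, and Windows PowerShell 5.1 or later is assumed for `Get-LocalGroupMember`.

```powershell
# Added example: audit why an account may still pass an ACL that lists only BUILTIN\Users.
# $SitePath is a placeholder; point it at the site's home directory.
$SitePath = 'C:\inetpub\wwwroot'

# Well-known SIDs a token receives from the logon itself, not from explicit membership.
$implicitSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-4'  = 'INTERACTIVE'
}

function Test-ImplicitSid([string]$Sid) {
    # RID 513 is Domain Users, the default primary group of every domain account.
    return $implicitSids.ContainsKey($Sid) -or $Sid -match '^S-1-5-21-(\d+-){3}513$'
}

# 1. Who is really in the local Users group (well-known SID S-1-5-32-545)?
$usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
Get-LocalGroupMember -SID $usersSid | ForEach-Object {
    [pscustomobject]@{
        Member   = $_.Name
        Sid      = $_.SID.Value
        Implicit = Test-ImplicitSid $_.SID.Value
    }
} | Format-Table -AutoSize

# 2. Which ACEs on the site directory allow or deny access, and to whom?
$acl = Get-Acl -Path $SitePath
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) | ForEach-Object {
    $sid = $_.IdentityReference.Value
    try   { $name = $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolved)' }
    [pscustomobject]@{
        Principal = $name
        Sid       = $sid
        Type      = $_.AccessControlType
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited
        Implicit  = Test-ImplicitSid $sid
    }
} | Format-Table -AutoSize
```

A row with `Implicit` set to `True` in the first table means an account can still be covered by the Users group's permissions after it has been removed from the group's explicit member list.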